lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 19 May 2011 18:16:35 +0200 From: Eric Dumazet <eric.dumazet@...il.com> To: Tom Herbert <therbert@...gle.com> Cc: davem@...emloft.net, netdev@...r.kernel.org Subject: Re: [PATCH 4/4] rps: Inspect GRE encapsulated packets to get flow hash Le jeudi 19 mai 2011 à 08:39 -0700, Tom Herbert a écrit : > Crack open GRE packets in __skb_get_rxhash to compute 4-tuple hash on > in encapsulated packet. Note that this is used only when the > __skb_get_rxhash is taken, in particular only when the device does > not compute provide the rxhash (ie. feature is disabled). > > This was tested by creating a single GRE tunnel between two 16 core > AMD machines. 200 netperf TCP_RR streams were ran with 1 byte > request and response size. > > Without patch: 157497 tps, 50/90/99% latencies 1250/1292/1364 usecs > With patch: 325896 tps, 50/90/99% latencies 603/848/1169 > > Signed-off-by: Tom Herbert <therbert@...gle.com> > --- > net/core/dev.c | 22 ++++++++++++++++++++++ > 1 files changed, 22 insertions(+), 0 deletions(-) > > diff --git a/net/core/dev.c b/net/core/dev.c > index 0c83494..7799bbd 100644 > --- a/net/core/dev.c > +++ b/net/core/dev.c > @@ -2552,6 +2552,28 @@ again: > } > > switch (ip_proto) { > + case IPPROTO_GRE: > + if (pskb_may_pull(skb, nhoff + 16)) { > + u8 *h = skb->data + nhoff; > + __be16 flags = *(__be16 *)h; > + > + /* > + * Only look inside GRE if version zero and no > + * routing > + */ > + if (!(flags & (GRE_VERSION|GRE_ROUTING))) { > + proto = *(__be16 *)(h + 2); > + nhoff += 4; > + if (flags & GRE_CSUM) > + nhoff += 4; > + if (flags & GRE_KEY) > + nhoff += 4; > + if (flags & GRE_SEQ) > + nhoff += 4; > + goto again; > + } > + } > + break; > default: > break; > } Hi Tom For sure it helps if this machine is the final host for these packets. If I am a firewall or router [and not looking into GRE packets], maybe I dont want to spread all packets received on a tunnel to several cpus and reorder them when forwarded. Maybe we need to add a table, so that upper layer (GRE or IPIP tunnels) can instruct __skb_get_rxhash() that we want to deep inspect packets. 1) Say we keep rxhash first evaluation be the one we have today. 2) Do a hash lookup in a new table to tell if upper layer handled a previous packet for this first level flow and want more inspection. 3) table could contains 'pointers' to decoding function, that would recompute a new rxhash function. 4) Find a way to "clean the table", garbage collect or expirations times can do. This way we can add stuff in GRE and IPIP modules [and other kind of tunnels], without layer violations ? -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists